The pslist command lists the current processes running in memory. This plugin outputs the offset, process name, process ID (PID), the number of threads and handles, and the date and time the process started and exited. Because the pslist plugin walks the doubly-linked list indicated by PsActiveProcessHead, it does not have the ability to detect hidden or unlinked process. To execute the plugin, enter the following into the Command Prompt:

forensics@ubuntu:~/Documents$ volatility -f stuxnet.vmem --profile=WinXPSP2x86 pslist

The command produces the following output:

Comparing the results to those that were located in the Redline example, ...

Get Digital Forensics and Incident Response now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.